NFC yet to secure its role in securing mobile payments

Novel approaches, such as Host Card Emulation (HCE) and potential threats such as the emergence of Bluetooth Low Energy – another technology standard for exchanging data wirelessly over very short distances – have brought into sharp focus the disappointing pace of development of mobile Near Field Communications (NFC), notably for financial transactions.

Indeed, a recent report from a major consultancy into the prospects for NFC suggests it offers huge potential for mobile payments, but adds this comes with high risk and uncertainty. That was pretty much the conclusion reached by New Electronics some four years ago, the last time it published a major review of the technology.

However, there have been advances and NFC is beginning to make major inroads in other applications, mainly consumer focused, in addition to its established use in transportation via contactless cards such as the Oyster in London.

The message seems to be that NFC technology per se is great, but the 'tap and pay' element has been overemphasised and that, for the moment, 'transactions' in the broader sense – exchanges of data authorised by proximity – is where the focus should be. This will get consumers familiar with the technology and help overcome resistance.

"We saw a host of applications being demonstrated at the recent Consumer Electronics Show: NFC chips in cameras, TVs, printers, remote controls. There are lots of potential use cases in the automotive sector, we are seeing deployment in stickers on posters, magazine ads that provide useful information and URLs when users can scan codes with their phones; in stickers on toys and action figures to create online experiences, in smart clothing," Alexander Rensink, strategic marketing director at NXP's Identification unit, and recently elected one of two vice chairmen of the NFC Forum, told New Electronics. "The key is that NFC can be used to couple the physical and virtual worlds."

But payment using mobile phones has long been seen as the end game for proponents of NFC, and remains so. The problem is there are too many players, some of whom – network operators, the finance sector, card issuers or secure element suppliers, for example – are getting in the way of building a mature ecosystem for m-commerce.

"There are just too many vested interests clogging up the system, making it more challenging than it should have been," said Neil Garner, founder and CEO of Proxama, a specialist consultancy focusing on proximity marketing and m-commerce. "But, with almost all smartphones now incorporating NFC capability – except of course Apple's – we are predicting a major push."

The take up of NFC in mobiles has been impressive after what Rensink described as a 'disappointing' early few years. A recent report from market research group IHS suggested 275 million phones with NFC capability shipped in 2013, up from 120m the previous year. It is projected to grow by 50% this year to reach 416m handsets. Looking at it another way, IHS says NFC was integrated into just 18.2% of the 1.5 billion mobile phones shipped in 2013; this will increase to an attach rate of 64% by 2018.

John Devlin, practice director at market research group ABI, said the highest level of adoption is currently in the mid tier smartphone sector, where about half of the handsets are NFC enabled and most of which are Android based. "We expect to see a big uptake when Windows based phones start appearing in volumes," he said. "And the fact the high end market is lagging is hardly surprising in view of Apple's decision not to add NFC and to prioritise Bluetooth Low Energy. I doubt we will see iPhones with embedded NFC this year, but all the indications are – including the fact it has taken out hosts of patents in the area – that Apple will enter the fray in the near future."

Editor's note
John Devlin has contacted New Electronics and says he was misquoted. What he would like to say is:
"The biggest factor driving shipments this year and next will be the adoption of NFC in low end Android phones and, to a lesser extent, what happens with Windows based handsets."
New Electronics is pleased to provide clarification.

NXP remains the leading NFC controller chip supplier – Rensink suggests its technology is in eight of the top 10 phones currently shipping – and industry sources suggest it has just scored a major win over arch enemy Broadcom. Although no one is confirming it – and we won't know until the teardowns start appearing – it is understood Samsung has switched back to NXP's PN547 NFC controller chip in the Galaxy S5 for most planned shipments, although it has missed out on the embedded secure element contract. NXP suffered a significant hit last year when Broadcom was chosen for the Galaxy S4, as well as for LG's flagship S2.

Nevertheless, the two will soon have to start competing against newcomers Qualcomm and MediaTek, both of whom have introduced standalone NFC chips designed to work with their processors and device reference designs.

One reason suggested for the PN547 being designed into the Galaxy S5 is NXP's strong support for what is becoming a key strategic battleground in the payments sector – Host Card Emulation. Interest in the process has soared since Google adopted it for the 4.4 KitKat version of its Android OS and increased significantly last month when the two big global payment companies, Visa and MasterCard, said they fully backed the effort and would come up with detailed specifications by the middle of the year while continuing to support their applications on secure elements (SE) in NFC phones.

HCE allows card issuers to put their NFC application in the cloud whilst, at the same time, using the growing base of POS terminals. Transactions would continue to use the NFC specification's card emulation mode but, rather than the communication being routed from the POS terminal through the NFC controller and hence to the secure element, it would go from the controller to the phone's host processor.

In this way, HCE effectively severs the dependency of NFC payments on an embedded secure element or SIM card, relying instead on a virtual SE on remote servers. This poses a huge challenge for mobile operators and for banks, notably in Europe, who are already questioning whether HCE implementations can ever reach the level of security offered by NFC SIMs and other smart card technology. At least in its current configuration, it is not possible to use HCE with Mifare based applications, currently the most widely used contactless payment technology worldwide in terms of number of cards issued and terminals installed.
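The routing difference described above can be modelled in a few lines. This is an added example, not from the original article: it assumes the ISO 7816-4 SELECT-by-name command and routing keyed on the application identifier (AID), and the AIDs, class and route names are constructed for illustration.

```python
# Added illustration: simplified model of where a card-emulation SELECT ends up.
# AIDs, class and route names are constructed for this example.
from typing import Dict, Optional


def build_select(aid: bytes) -> bytes:
    """ISO 7816-4 SELECT by name: CLA=00 INS=A4 P1=04 P2=00 Lc AID Le."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_select_aid(apdu: bytes) -> bytes:
    """Return the AID from a SELECT-by-name APDU, or raise ValueError."""
    if len(apdu) < 5:
        raise ValueError("shorter than header + Lc")
    cla, ins, p1, _p2, lc = apdu[:5]
    if (cla, ins, p1) != (0x00, 0xA4, 0x04):
        raise ValueError("not SELECT by name")
    body = apdu[5:]
    # AID is 5..16 bytes; body is the AID plus an optional Le byte.
    if not 5 <= lc <= 16 or len(body) not in (lc, lc + 1):
        raise ValueError("bad AID length")
    return body[:lc]


class NfcController:
    """Routes a SELECT to the secure element ("SE") or host CPU ("HOST")."""

    def __init__(self, routes: Dict[bytes, str], default: Optional[str] = None):
        self.routes = routes
        self.default = default

    def route(self, apdu: bytes) -> str:
        try:
            aid = parse_select_aid(apdu)
        except ValueError:
            return "REJECT"          # malformed input never reaches SE or host
        return self.routes.get(aid) or self.default or "REJECT"


SE_AID = bytes.fromhex("F0000000010001")    # constructed: applet on the SE
HCE_AID = bytes.fromhex("F0000000010002")   # constructed: app on the host

controller = NfcController({SE_AID: "SE", HCE_AID: "HOST"})

if __name__ == "__main__":
    for name, aid in (("SE applet", SE_AID), ("HCE app", HCE_AID)):
        print(name, "->", controller.route(build_select(aid)))
```

On the "HOST" route the command is answered by software on the application processor rather than by tamper-resistant hardware, which is the trust-boundary shift behind the security questions raised about HCE.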

So, whilst HCE is clearly a promising technology and one that offers another option for those deploying payments systems, possibly offering a faster route to market, it is also clear it has a lot of maturing to do. And there are many who believe it should not, and will not, come down to a choice between SEs or HCE; rather, it should be a combination of the two.

Are security concerns holding back the wider use of NFC technology?

Security has long been one of the key issues for proponents and potential users of NFC based services alike. A recent survey by consultancy Ovum suggested lack of security was the main reason why there is reticence about using mobile wallets or mobile commerce.

The topic is also a live and divisive one within the industry: some insist the technology is flawed; others argue that NFC based payment, through either contactless cards or mobile phones, is perfectly secure and certainly more so than chip-and-pin.

This latter assertion is regularly rocked by serious and serial hackers, academic studies and anecdotal evidence; the latter exemplified by reports last year that customers in several retail outlets experienced payment deductions from contactless cards while paying for other goods.

Referring specifically to a couple of reported incidents at Marks and Spencer, Neil Garner, CEO of mobile payments specialist Proxama, said: "This must have been down to user error. Contactless cards can only be powered up at distances of some 3 to 4cm." What most likely happened is that customers were charged unintentionally when they placed their bag or purse on or next to the reader while they retrieved their chip-and-pin card, suggests Garner.

A more recent report by researchers from the University of Surrey's computing department showed that NFC transmissions can be received successfully from distances of up to 80cm, using simply assembled and inconspicuous equipment. "The results have an impact on how much we can rely on physical proximity as a 'security feature' of NFC devices," said lead academic supervisor Dr Johann Briffa. "Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper."

The team used a pocket sized cylindrical antenna, an off the shelf receiver and a laptop with a digital acquisition card, mostly contained in a back pack and nothing that would raise suspicion in a supermarket queue or a crowded place.

"We were not exactly surprised at our findings: other published work had already indicated problems in this area. The novelty of our work was that we did not simply ascertain that we received data, we also measured systematically how reliably we could receive it at different distances and then calculated the bit and frame error rates," Dr Briffa told New Electronics. Although the reliability of the interception was seen to decrease with the distance, the researchers said they had a success rate of almost 100% at distances from 50 to 60cm.

"The key message from our work is that the NFC design community must ensure its authentication and communication protocols work reliably and securely in all circumstances," added Dr Briffa.

He did concede that the card data that could be obtained by a hacker using his team's set up would be limited. "The next stage of the project would be to analyse this in more detail."

The point was readily emphasised by the UK Cards Association. A spokesman told New Electronics that fraud using contactless cards is 'extremely rare'. "Although the kind of contactless card reader built by the University of Surrey might be able to interrogate a card, the data obtained would be limited to the card number and expiry date." The spokesman added there are numerous additional layers of security, so a fraudster harvesting this limited data would find it very difficult to make a fraudulent transaction and stressed the information 'certainly could not be used to make a cloned card'.

For all that, hackers are a determined and resourceful species and will find flaws in what are apparently secure devices and systems. One of the most active hackers, at least until he joined Twitter as a security specialist late last year, was Charlie Miller, who worked for many years at the NSA.

At a recent Black Hat conference in Las Vegas, while still a consultant with Accuvant Labs, he stunned the audience by demonstrating serious security flaws in the NFC system found in a number of Android based smartphones, including Google's Nexus S and Samsung's Galaxy S.

Miller described how, when in close proximity to the target, he used another NFC chip to transmit a code that opens malicious files or Web pages that attack known vulnerabilities in a document reader, browser or in the operating system.

The vital issue, Miller said, is that phone users are not necessarily aware they have interacted with NFC, unlike when they click consciously on a URL.